Threat detection for a fleet of industrial assets
Abstract
A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.
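The loop described in the abstract can be sketched as follows. This is an added example, not code from the patent: the thresholds, the asset names, the sample readings and the use of a sqrt(N)-scaled common-mode mean as the dimensionality reduction are all assumptions. It shows a small drift shared by every asset crossing the fleet-wide boundary while each asset still reports normal against its own boundary.

```python
import math

LOCAL_LIMIT = 3.0   # assumed per-asset decision boundary (z-score norm)
FLEET_LIMIT = 3.0   # assumed fleet-wide decision boundary
NORMAL_MEAN, NORMAL_STD = [3600.0, 13.8], [5.0, 0.1]  # constructed: rpm, kV

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def asset_report(asset_id, raw, limit=LOCAL_LIMIT):
    """Asset side: standardized feature vector plus normal/abnormal status."""
    z = [(x - m) / s for x, m, s in zip(raw, NORMAL_MEAN, NORMAL_STD)]
    return {"asset": asset_id, "vector": z,
            "status": "abnormal" if norm(z) > limit else "normal"}

def fleet_vector(reports):
    """Collapse N asset vectors into one fleet-wide vector: the common-mode
    mean, scaled by sqrt(N) so independent unit-variance noise stays ~1."""
    n = len(reports)
    return [math.sqrt(n) * sum(r["vector"][d] for r in reports) / n
            for d in range(len(reports[0]["vector"]))]

def evaluate_fleet(reports, tightened=2.0):
    """Fleet side: compare with the fleet boundary; on abnormal operation,
    respond with a boundary adjustment for every reporting asset."""
    score = norm(fleet_vector(reports))
    abnormal = score > FLEET_LIMIT
    responses = ([{"asset": r["asset"], "adjust_boundary_to": tightened}
                  for r in reports] if abnormal else [])
    return {"fleet_status": "abnormal" if abnormal else "normal",
            "score": score, "responses": responses}

# Constructed readings: independent scatter vs. the same small drift everywhere.
BASELINE = {"A": [3603, 13.75], "B": [3596, 13.85],
            "C": [3601, 13.78], "D": [3598, 13.83]}
DRIFT = {"A": [3609, 13.95], "B": [3608, 13.96],
         "C": [3610, 13.94], "D": [3609, 13.95]}

def run(readings, limit=LOCAL_LIMIT):
    reports = [asset_report(a, raw, limit) for a, raw in readings.items()]
    return reports, evaluate_fleet(reports)

if __name__ == "__main__":
    for name, readings in (("baseline", BASELINE), ("drift", DRIFT)):
        reports, verdict = run(readings)
        print(name, [r["status"] for r in reports],
              verdict["fleet_status"], round(verdict["score"], 2))
```

Re-running the drift readings with the tightened boundary, `run(DRIFT, limit=2.0)`, makes every asset report abnormal locally, which is the effect of the boundary adjustment sent back from the fleet system.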
Claims
The invention claimed is:
1. A system to protect a fleet of industrial assets, comprising:
a communication port to exchange information with a plurality of remote industrial assets comprising the fleet of industrial assets, wherein each remote industrial asset is geographically remote from at least one other industrial asset and includes a set of monitoring nodes; and
an industrial fleet protection system coupled to the communication port and including a computer processor to:
(i) receive information from each of the plurality of remote industrial assets, the information from each industrial asset including at least a current feature vector generated based on information from monitoring nodes of that industrial asset and a normal/abnormal status indication for that industrial asset,
(ii) calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector,
(iii) compare the current fleet-wide operation feature vector with a fleet-wide decision boundary, the fleet-wide decision boundary separating normal operation of the fleet of industrial assets from abnormal operation of the fleet of industrial assets, and
(iv) automatically transmit a response when a result of the comparison indicates abnormal operation of the fleet of industrial assets, the response including a transmittal, from the industrial fleet protection system to at least one of the industrial assets, an adjustment to an industrial asset decision boundary.
2. The system of claim 1, wherein the information received from the plurality of remote industrial assets is received via a cloud-based security platform.
3. The system of claim 1, wherein the industrial fleet protection system comprises a cloud-based monitoring system.
4. The system of claim 1, wherein the information received from the plurality of industrial assets includes at least one of: an abnormal state alert, an industrial asset feature vector, an industrial asset global feature vector, an industrial asset decision boundary, a series of monitoring node values, a cyber-attack risk probability, a per-asset risk index, and a real-time signature.
5. The system of claim 1, wherein an abnormal state alert is received from a first industrial asset and the automatic response is transmitted to a second industrial asset.
6. The system of claim 1, wherein the automatic response includes transmitting, from the industrial fleet protection system to at least one of the industrial assets, at least one of: a potential attack type, a potential attack signature, potential attack time characteristics, an indication of a fleet-wide attack, an indication of an attack limited to a subset of the industrial assets, and an indication that no attack is currently being detected.
7. The system of claim 1, wherein abnormal operation of the fleet of industrial assets is associated with at least one of: a cyber-attack, a threat warning, and a predicted cyber-attack.
8. The system of claim 1, wherein calculation of the current fleet-wide operation feature vector is facilitated via dimensionality reduction techniques.
9. The system of claim 8, wherein the plurality of industrial assets are power plants and the dimensionality reduction techniques are applied to correlated features across power plants including at least one of: generator features, power factors, voltages, current, and generator speed.
10. The system of claim 1, wherein the industrial fleet protection system is further to: predict asset availability, perform a severity analysis, execute an accommodation process, and confirm an abnormal state alert received from an industrial asset.
11. The system of claim 1, wherein the industrial assets are associated with at least one of: power plants, gas turbines, heat recovery steam generators, balance of plant controls, steam turbines, aviation engines, ship propulsion systems, locomotive engines, dams, and elements of a power grid.
12. The system of claim 1, wherein abnormal operation is associated with a cyber-attack and the industrial fleet protection system detects the cyber-attack even when none of the industrial assets detect a cyber-attack.
13. A system to protect an industrial asset that is a member of a fleet of industrial assets, wherein each industrial asset is geographically remote from at least one other industrial asset, comprising:
a normal space data source storing, for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the industrial asset;
an abnormal space data source storing, for each of the plurality of monitoring nodes, a series of abnormal monitoring node values over time that represent an abnormal operation of the industrial asset;
an abnormal state detection model creation computer, coupled to the normal space data source and the abnormal space data source, to:
(i) receive the series of normal monitoring node values and generate a set of normal feature vectors,
(ii) receive the series of abnormal monitoring node values and generate a set of abnormal state feature vectors,
(iii) automatically calculate a decision boundary for an abnormal state detection model based on the set of normal feature vectors and the set of threatened feature vectors, the decision boundary separating normal operation of the industrial asset from abnormal operation of the industrial asset, and
(iv) automatically adjust the decision boundary based on information received from a remote industrial fleet protection system;
a plurality of real-time monitoring node signal inputs to receive streams of monitoring node signal values over time that represent a current operation of the industrial asset; and
a threat detection computer platform, coupled to the plurality of real-time monitoring node signal inputs and the threat detection model creation computer, to:
(i) receive the streams of monitoring node signal values,
(ii) for each stream of monitoring node signal values, generate a current monitoring node feature vector,
(iii) select an appropriate decision boundary for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node,
(iv) compare each generated current monitoring node feature vector with the selected corresponding appropriate decision boundary, and
(v) automatically transmit at least one current monitoring node feature vector and normal/abnormal status indication to the industrial fleet protection system based on results of said comparisons.
14. The system of claim 13, wherein the information automatically transmitted to the industrial fleet protection system includes at least one of: an abnormal state alert, an industrial asset feature vector, an industrial asset global feature vector, an industrial asset decision boundary, a series of monitoring node values, a cyber-attack risk probability, a per-asset risk index, and a real-time signature.
15. The system of claim 13, wherein the information transmission is performed using at least one of: a cloud-based system, an edge-based system, a wireless system, a wired system, a secured network, and a communication system.
16. The system of claim 13, wherein an abnormal state is associated with at least one of: an actuator attack, a controller attack, a monitoring node attack, a plant state attack, spoofing, physical damage, unit availability, a unit trip, a loss of unit life, and asset damage requiring at least one new part.
17. The system of claim 13, wherein the threat detection computer platform is further to automatically generate a cyber-threat alert based on: (1) the results of the comparisons, and (2) information received from the industrial fleet protection system including at least one of: a potential attack type, a potential attack signature, potential attack time characteristics, an indication of a fleet-wide attack, an indication of an attack limited to a subset of the industrial assets, and an indication that no attack is currently being detected.
18. A computerized method to protect a fleet of industrial assets, comprising:
receiving, at a cloud-based industrial fleet protection system, information from each of a plurality of remote industrial assets comprising the fleet of industrial assets, wherein each remote industrial asset is geographically remote from at least one other industrial asset and includes a set of monitoring nodes, the information from each industrial asset including at least a current feature vector generated based on information from monitoring nodes of that industrial asset and a normal/abnormal status indication for that industrial asset;
calculating, based on information received from multiple industrial assets, a current fleet-wide operation feature vector;
comparing the current fleet-wide operation feature vector with a fleet-wide decision boundary, the fleet-wide decision boundary separating normal operation of the fleet of industrial assets from abnormal operation of the fleet of industrial assets; and
automatically transmitting a response when a result of the comparison indicates abnormal operation of the fleet of industrial assets, the response including a transmittal, from the industrial fleet protection system to at least one of the industrial assets, an adjustment to an industrial asset decision boundary.
19. The method of claim 18, wherein the information received from the plurality of industrial assets includes at least one of: an abnormal state alert, an industrial asset feature vector, an industrial asset global feature vector, an industrial asset decision boundary, a series of monitoring node values, a cyber-attack risk probability, a per-asset risk index, and a real-time signature.
20. The method of claim 18, wherein an abnormal state alert is received from a first industrial asset and the automatic response is transmitted to a second industrial asset.